BLOG

Spamhaus under major DDoS

Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver are currently offline.

DNS services, including rsync and the mirrors, are up and running.

Spamhaus is working to bring the mailserver and website back up, and is hoping to have them up later today.

If there are any critical or particularly urgent SBL issues today, contact your ESP delivery team. The folks who were contacted do have an email address for urgent issues. This is not an address for routine queries, however, and most listees are going to have to wait until normal services are restored to have their listing addressed.

If there is something particularly urgent and your ESP or delivery team does not have a contact address, you can contact me and I can see what I can do.

UPDATE: Most of the IPs people have sent me are actually XBL/CBL listings. But right now the CBL webserver is responding slowly due to the DoS.

If you want to look up a listing without using the Spamhaus website you can use the “host” or “dig” command line tools. To do this, reverse the order of the four octets in the IP address and append zen.spamhaus.org on the end.

So for the IP 10.11.12.13 you would query 13.12.11.10.zen.spamhaus.org
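The lookup described above, written out as an added example (this is not code from the original post or from Spamhaus): a small Python script that builds the reversed query name, resolves it, and interprets the 127.0.0.x answer codes. The code-to-list mapping and the 127.255.255.x error codes are taken from Spamhaus's published Zen documentation as I recall it, so check them against the current docs. The `resolver` parameter is an assumption of this example so the logic can be exercised without a live query; querying Zen through a shared public resolver returns an error code rather than a listing, so run it through your own resolver.

```python
import ipaddress
import socket

# Added example, not part of the original post. Documented Zen answer codes
# (author's recollection of the Spamhaus docs; verify before relying on them).
ZEN_CODES = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL/CBL (exploited or infected host)",
    "127.0.0.5": "XBL/CBL (exploited or infected host)",
    "127.0.0.6": "XBL/CBL (exploited or infected host)",
    "127.0.0.7": "XBL/CBL (exploited or infected host)",
    "127.0.0.10": "PBL (ISP-maintained policy range)",
    "127.0.0.11": "PBL (Spamhaus-maintained policy range)",
}

# Answers that mean "your query was refused", not "this IP is listed".
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query via open or public resolver is not allowed",
    "127.255.255.255": "query volume limit exceeded",
}


def zen_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL name: octets in reverse order, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the address
    return ".".join(reversed(octets)) + "." + zone


def classify(answers):
    """Map 127.0.0.x answers to human-readable list names (sorted, deduplicated)."""
    return sorted({ZEN_CODES.get(a, f"unknown code {a}") for a in answers})


def _system_resolver(name):
    """Default resolver: all A records for the name, or [] on NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip, resolver=None):
    """Query Zen for one IPv4 address and interpret the answer.

    `resolver` (assumption of this example) is any callable taking a hostname
    and returning a list of A-record strings; it defaults to the system resolver.
    """
    name = zen_query_name(ip)
    answers = list((resolver or _system_resolver)(name))
    errors = [ZEN_ERRORS[a] for a in answers if a in ZEN_ERRORS]
    hits = [a for a in answers if a not in ZEN_ERRORS]
    return {
        "query": name,
        "listed": bool(hits),
        "lists": classify(hits),
        "errors": errors,
    }


if __name__ == "__main__":
    import sys

    # 127.0.0.2 is the documented test address that every Spamhaus zone lists.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2"
    print(lookup(target))
```

Run it as `python3 zen_lookup.py 10.11.12.13`. An empty answer (NXDOMAIN) means "not listed"; an XBL/CBL hit on a mail server IP usually means some other machine behind the same NAT address is infected, which is the pattern several commenters below ran into.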

26 comments

Dave says

Thanks a lot for your post, Laura. One of my servers was suddenly listed on Spamhaus’s SBL list all of a sudden, so we are wrapped up in this situation as well. To circumvent this we are trying to adjust our external IP address to speed up return to service.

Anyone else seeing “sudden listings”: I can help, but only if you give me an IP address. There shouldn’t be an increase in listings. Many Spamhaus folks haven’t had time to do any listing work recently.

We were on the CBL, and the ZEN listing started Friday morning. We’ve since worked around the problem by using a NAT rule to advertise a different external IP address and updated external DNS; this worked immediately and mail started flowing. Contact your network administrators!
We are not a marketing company, so how we got on the list is a concern.

Laura, your insight and communication about this is greatly appreciated!

I have other external IPs I could use too… but that’s only temporary if the other IP gets listed due to the root cause of the problem. I’d also like to know how I got listed (like Jamie). I see no evidence of anything going out due to infected PCs (we block port 25 going out for all but our mail server, mail server logs show it’s healthy with no strange e-mails for the last few hours, and nothing going to port 80 to the pushdo sinkhole; I can’t block port 80 outbound or people can’t visit websites!). I could block to certain subnets like the subnet the pushdo sinkhole is on. Still bummed I’m listed…

I wanted to thank Laura here on the blog for all of her help today. We are now de-listed thanks to her connections with some folks at Spamhaus (that don’t require use of their currently DDoS’d website)! We have isolated the root cause to some infected machines that use outbound stuff on port 80 (which we don’t block so people can use the web)! So we are now confident that we won’t get re-listed. Thanks again Laura.

Laura: Have you noticed any change in spammer traffic or anything due to the Spamhaus outage? I know RBLs weren’t down, but the resources needed to list new IPs from spamgang runs were limited or down, so I was curious if this was a coordinated attack in conjunction with huge spam runs?

[…] Last night Spamhaus was the target of a distributed denial of service attack (DDoS) which at the time of this post is still happening. The attack is so great the admins of SpamHaus sent out an email informing the public of the severity of the attack. Original posting source of the attack can be found at the Word to the Wise via Laura Atkins. […]

We did manage to get into Spamhaus’s website yesterday; I must say Spamhaus gives great info on why you are blocked. While the DDoS was occurring, we moved our mail server to a dedicated new external NAT IP, which immediately fixed the problem. Investigating further, one of our secondary utility mail servers was using the same NAT IP as our web/http workstation traffic. This is key, as we found the culprit was an infected workstation with the Zbot/Zeus trojan, so it triggered the IP address blacklist, and mail was impacted as a result of this.

[…] anti-spam DNS blacklist service, has been hit by a severe DDoS attack over the weekend. Users have been informed by Spamhaus of certain services like their website and email server being unavailable, with them […]

[…] servers. The attack is so bad that the website and main mailserver is currently offline,” said Laura Tessmer Atkins of anti-spam consultancy Word to the Wise, in a blog posted Monday. “Spamhaus is working to […]

Our company’s IP address is blacklisted. I found the trojan and have removed it. But because CBL’s website is still down, I am not able to remove our company from the blacklist. In the meantime, a majority of our emails are being bounced back. I’ve sent an email to CBL, but since their website is down, what are the chances they will get the email? This is a major problem when our business is being affected by this. Is there any way to be removed from their blacklist?

[…] service, became inaccessible. No one knew what was going on until Monday, when the company started notifying its customers of a massive distributed denial-of-service (DDOS) attack against its servers. Shortly after, […]